Back to Basics: Hardening Computers & Smartphones
*Note: This article was originally published by the author on September 16, 2019.
Too often, I‘ve noticed that Information Security professionals write articles that target their own peers who already possess a high level of understanding of cybersecurity principles. That’s all fine and well if you’re writing a technical whitepaper or something, but I don’t believe that enough is being done to educate the everyday, ordinary users with regard to basic steps that anyone can take to bolster computer and smartphone security. Implementing these cybersecurity best practices I am about to share with you can help protect you, your personal information, and your computing devices. Consider this a short “Back-to-Basics” guide that will focus on relevant basic cybersecurity best practices for Internet users of all skill and knowledge levels, but especially useful for everyday general users.
As a retired Marine, I am all about keeping things simple and getting back-to-basics. Ok, crayon-eating jokes aside — You’ll notice this theme throughout most of my writings if you’ve read any of my other work. I believe that life and particularly technology are complicated enough without complicated diagrams and explanations of how it all works. However, I do believe that it is important to understand and practice basic cybersecurity hygiene practices that will protect your devices, but more importantly, you’re sensitive information no matter who you are.
As the definition states, to harden something is to make it more secure against attacks. It’s like weatherproofing a house against a hurricane or bulletproofing a military vehicle by adding heavy armor to the exterior. The house or vehicle might sustain still some damage, but the logic is that it will remain mostly intact and functional while protecting what is contained within it after the storm or attack has ended.
Foundation of Basic Computer Security Principles
As everyday users of computer technology, it is not imperative that you have a deep understanding of the security concepts and principles at play other than to know what they are so that you have a basic understanding of why they exist and how they help provide a multi-layered shield of protection against all kinds of threats.
- Confidentiality — the protection of information against unauthorized access
- Integrity — the protection of information against unauthorized modification of data
- Availability — the protection of your ability to access your information
Better known as the C-I-A triad model, it serves as the foundation of cybersecurity. Sure, there’s a lot more than this but let’s not over-complicate things. Whenever you are thinking in terms of computers, applications, smartphones, tablets, or really any type of electronic device, it helps to put it into the context of the C-I-A triad model and assign risk levels to them such as low-medium-high. Is viewing Facebook on your home computer browser a low, medium, or high on confidentiality risk? I’d argue it’s low risk. However, realize that each website you visit will require cookies that track your usage activity and preferences.
Some cookies, like Facebook’s, have been known to track your browser activity even after a user has closed the Facebook browser tab… Beware. Repeat the same question for integrity and availability, you get the idea but also, how important are each of these pillars of cybersecurity to you, the user? If a user is supremely concerned with being able to access their data (i.e., availability), then perhaps they are more willing to accept less integrity and confidentiality because there are always tradeoffs in any technology when it comes to security.
Remove All Unnecessary Applications
Reduce the attack surface on the computer by removing unnecessary software applications. Do the same on your smartphone by uninstalling all of the Apps you don’t want or need. Some you are baked into the OS though, which requires more advanced skill and knowledge to eradicate. The Windows OS, for example, is pre-loaded with “bloatware” that a lot of users don’t know exists let alone want on their computers. Think of every service and application running on your computer and smartphone as a unique avenue of attack, often with their own unique port numbers they use as a channel to communicate on. Uninstall program applications that you don’t use because otherwise, it could be a way inside your system for attackers if there are unpatched vulnerabilities that can be exploited. All OS types have similar vulnerabilities. Mac users used to think that Macs didn’t have viruses or malware, then cyber criminals began focusing on that OS… Every OS type is susceptible to malware, patch your systems people.
The Principle of Least Privilege
The principle of least privilege is just as simple as it sounds. It involves only giving a user the minimum system access and permissions they need in order to perform whatever job-related tasks their specific role requires. For individuals using a computer at home, this principle doesn’t have a lot of significance but it can be useful to remember if you have kids. If you don’t lock down and monitor your kids’ computers and smartphones, they will eventually find their way into trouble or abuse the technology in some way.
Don’t fault yourself as a parent, we all did the same thing when we were their age. But now there are some really dangerous threats online like child predators, cyberbullying, and financial scams that less-wise children are more apt to fall for. So, by all means, it is a good idea to use the principle of least privilege when it comes to configuring computer devices for your kids. Set parental controls, locks, and monitor their activity. During the school week, my wife and I set our kids’ tablets to shut off Internet access at a certain time so they can wind down before going to bed.
- Ensure your computer’s operating system (OS) is up-to-date by determining whether updates need to be installed.
- Anti-Virus- Avast has an excellent free version, but really any AV vendor that is top-rated should do the trick. You want daily scans of your computer/smartphone as every day there are millions of new strains of malware released into the wild.
- Anti-Spyware software like the free version of Spybot is also a good idea to use.
Changing Default Account Passwords
One of the first things you should do on your home Wi-Fi router or any electronic device actually is to update the firmware and change the “admin/admin” default password on it. Remember, you’re connecting it to the Internet where it can and probably will be scanned for vulnerabilities by anyone from anywhere in the world. If they discover you’re using the default password, they can break into your router and your system. That’s No Bueno! Don’t let that happen!
Enable Automatic Updates
This one is pretty self-explanatory in my humble opinion. Update your software frequently, or suffer the consequences of exploits… The best way to stay up-to-date is to enable automatic updates.
Use a Password Manager
It is still a best practice to use long passwords or better yet, passphrases but also it’s just as important that you never use the same password or passphrase twice! So, how is anyone supposed to remember all of those passwords? Easy, use a reputable password manager service such as Bitwarden or 1Password, both of which offer free service levels. You only have to set one really good passphrase that is called your “master password” which will serve as the decryption key to unlock all of the rest of your passwords. I know that some people are averse to this concept due to the fact that putting all of their “eggs” in one basket seems extremely dangerous, but password managers are as safe a bet as any other password memory method.
DO NOT ENABLE SAVED PASSWORDS IN YOUR BROWSER!! This is just asking to be hacked. In fact, anyone who gets a hold of your computer in an unlocked state will have access to your passwords in your browser. If an attacker is able to remotely compromise your machine through malware or some other means, they will have access to these passwords.
KeePass Password Safe is another option that works with both your computer and mobile phone. What’s different about KeePass is that you can download the password manager application to your computer or smartphone (or both!) and save all of your passwords locally in an encrypted vault on your C:\ which is better than storing them on a website, in a Web browser, writing them down somewhere, or saving your passwords to a text file and protecting it with a password. Writing your passwords down is not entirely unsafe, but most people are lazy and just leave them on a yellow sticky note someplace next to your computer or under the keyboard. Though this may seem like the “easy” option, it is a sure-fire way to get your account compromised and if you do this at work you could face disciplinary action.
One of the best things about using a password manager is that changing passwords is very easy. Oh, you want a 50-character password with upper and lowercase letters, numbers, and symbols? No problem. Here are 50 of them to choose from. Also, there are built-in features that will test the strength of your passwords and check if any are repeated elsewhere which could allow an attacker to perform what is known as “credential stuffing” on different websites one of your compromised passwords from some other data breach password dump. You don’t want that happening, so it’s best to just get in the habit now of using unique passwords for each website you have an account with.
Remember also that less is more on the Internet. If you don’t need to create an account on a website or enter personal information, then don’t! You don’t know how safe your personal information is being protected by the website owner or if there is a malicious insider stealing or leaking sensitive data. The less information you publish about yourself, the better off your privacy is.
Use Two-Factor Authentication (2FA)
This one should go without saying, but a lot of people seem to have a hard time with this best practice. Passwords are a weak form of protection, they always have been but it hasn’t been until recently that technological advancements have allowed for stronger security measures to be implemented. It’s nearly 2020 netizens, if you’re still relying on passwords to keep all of your online secrets then I dare say you’re a bit antiquated. Yes, passwords are the first line of defense, but be smart and take the 2 minutes it takes to set up 2FA on your accounts especially for really important accounts like online banking, Email, etc.
Having some type of firewall is important if you’re going to be connected to the Internet. Since most of us do not use a standalone computer, having a firewall is important so that it blocks potentially harmful malware and attacks on your system. Most OSs come with their own firewall, but you can also download and configure free versions like pfSense. If you’re running Windows which statistically is the most used operating system, it’s perfectly fine to use the Windows Defender firewall that comes free with the OS. It’s come a long way. Microsoft has worked hard to make Windows Defender very competitive with other paid firewall and Anti-Virus (AV) products. If you prefer to use another AV product such as Avast Premium Security, MalwareBytes, or Kaspersky, when you install it you will have to give it permission to manage your firewall settings. However, you are still able to modify the settings as you like or you can use the default settings.
Lock Your Computer or Device When Not Present
Physical security is integral to computer security. Without it, any notion of computer security you thought you had becomes completely unraveled. Therefore, whenever you get up from your desk or when in a public place, make sure you get in the habit of locking your screen. To unlock your computer, the proper password or PIN should be required (HINT: Don’t use “Password1” or any derivation of such).
Beware of Suspicious Emails, Attachments, & Links
Yes, all it takes is one wrong click in an Email or on a website to infect your computer or smartphone with malware. So, be very careful and discriminatory when it comes to opening Emails from any sender that you don’t trust. Also, never open an email attachment from a sender that you don’t know. In fact, even if it is from a sender that you trust, it is a good habit to get into to scan the file first with anti-virus/malware software to check it first before downloading it and opening the file.
I know what you’re thinking…
Haha, that’s not realistic though. Use caution, we’ll leave it at that.
Treat Smartphones Like The Computers They Are!
Many people don’t consider a smartphone to be a computer, but nothing could be further from reality. The rapid advances of modern technology have put the power of a desktop computer into the palm of your hand, but make no mistake about it. Smartphones are susceptible to hacking, viruses, and malware just like computers — because they are computers with processor chips, memory, operating systems, and program applications. So, I ask you, why wouldn’t you want to spend a little more dough to properly protect it?
If you own a smartphone like so many people around the world do these days, it is pretty much your entire life all rolled up into this tiny computer that makes phone calls, has GPS navigation, a digital recorder, takes pictures and videos, does video chat, takes notes, dictates notes, has an alarm clock, calculator, timer, plays video games, Internet browsing, personal assistant, online banking, mobile check deposits, small business chip card reader, access Cloud storage applications, the list goes on and on and well, you get the point… There literally is an App for everything it would seem. There is no end to what people use their smartphones for these days. Many people would be utterly lost without their smartphones, which is why it baffles me when I see people that leave their smartphones unprotected and/or leave them lying around somewhere for anyone to steal or thumb through.
Think of your smartphone as the digital gateway to your identity. You want to protect that, right? Remember that it is a miniature computer complete with volatile and non-volatile memory, an operating system (Android, iOS, Windows, etc.). And if we are in agreement that a smartphone is a computer, which it clearly is, then you should install AV software on it to protect it from viruses and malware.
- Enable Full Disk Encryption (FDE) — iPhones come pre-manufactured with FDE, so no worry there iPhone users. However, for Android users, you must enable this feature aftermarket by navigating to Settings>>Biometrics and security>>Secure startup>>Require PIN when the device turns on (i.e., depending on your Android version it may be slightly different). You want to use an 8-digit PIN for better password entropy. You could also require a password to unlock your phone, but that is going to get old extremely fast. Even an 8-digit PIN though will not afford you protection from brute-force attacks against a skilled attacker using password cracking technology.
- Enable a screen lock of some type, PIN, password, biometric fingerprint, or a retinal scanner. The strongest PIN security is an 8-digit PIN or password, just keep in mind that you’ll be entering this PIN or password every time you need to unlock your phone. You can also set a combination of screen locks such as a fingerprint or geometric shapes for unlocking the screen after the phone has been turned on and booted up or perhaps an 8-digit PIN for unencrypting the device before boot up. The point is to have protection on your smartphone so that no one can just pick it up and have access to your entire phone.
- Enable remote wipe in case your smartphone is stolen.
- Install Anti-Virus software — With AV software products, you get what you pay for. Check the ratings ahead of time of other users, read the reviews. Read the PC Magazine editor’s best picks. Purchasing the premium protection version is better if affordable because they typically offer more services than just AV protection. Pick a vendor product that is highly rated, not too pricey, works well, and isn’t too clunky which could result in degraded phone speed performance.
- Install a paid, no-logging Virtual Private Network (VPN) application from privacytools.io to protect your Internet browsing activity from snoopers when you’re using public Wi-Fi hotspots. This won’t stop law enforcement or Big Brother (i.e., Government) from being able to track you but it should protect against your Internet Service Provider (ISP) and Hacker Bob at Starbucks from seeing what you’re doing online. You should know that there are a lot of unscrupulous VPN vendors out there advertising that they don’t collect your Internet browser activity or sell that your data to other collectors. Do your homework first before choosing a VPN provider and remember that you get what you pay for. No “free” service is ever really free, is it? Nope, that boat doesn’t float, folks. If a service is free, you are the product!
Generally speaking, privacytools.io has some good choices to choose from.
Hey Man, You Lost Me At “Security”
All of these security measures may seem a bit much for ordinary people to have to do, right? No. It does not. These are the bare minimum steps you need to take to secure your data.
Get with the program already. Your laissez-faire attitude about security is what is going to lead to your becoming a statistic in some future cybersecurity reports. Don’t be a sheep, be a wolf. Don’t be like the masses, protect yourself by following these basic cybersecurity best practices.
If you are tech-savvy enough to purchase computers and smartphones, then you need to learn how to properly secure them so you don’t become unnecessarily victimized.
***Trust No One. Verify Everything. Leave No Trace.***